[ale] Verifying a MD5 password?

cfowler cfowler at outpostsentinel.com
Thu Feb 27 15:30:43 EST 2003





On Thu, 2003-02-27 at 14:59, Robert L. Harris wrote:
> 
> 
> crypt does md5 now?


GNU EXTENSION
       The glibc2 version of this function has the following additional 
       features.  If salt is a character string starting  with the three
       characters "$1$" followed by at most eight characters, and
       optionally terminated by "$", then instead of using the DES
       machine, the glibc crypt function uses an MD5-based algorithm,
       and outputs up to 34 bytes, namely "$1$<string>$", where
       "<string>" stands for the up to 8 characters following "$1$" in
       the salt, followed by 22 bytes chosen from the set
       [a-zA-Z0-9./].  The entire key is significant here (instead of
       only the first 8 bytes).
       Programs using this function must be linked with -lcrypt.


> 
> Thus spake cfowler (cfowler at outpostsentinel.com):
> 
> > use crypt(3).  It is the most commonly used to do this kinda thing.
> > 
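> > /* encrypted is the stored hash; passed as the salt argument, crypt()
> >    reuses its "$1$<salt>$" prefix */
> > if(strcmp(encrypted,
> >  crypt("this is my plain-text password", encrypted)) == 0) {
> >   printf("Password Match");
> > } else {
> >   printf("Invalid password");
> > }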
> > 
> > Perl may have the capability to use crypt.
> > 
> > 
> > On Thu, 2003-02-27 at 14:52, Robert L. Harris wrote:
> > > 
> > > 
> > > We're trying to write a script that can verify passwords against md5
> > > password entries.  We've got a good mechanism to get the password from
> > > /etc/shadow but something in the actual computation of the md5 hash of
> > > the user input is not right.
> > > 
> > > Anyone have a good command line or HOWTO I can read through?
> > > 
> > > A couple combinations we've tried:
> > > 
> > > salt=spudpeel
> > > password=foo
> > > 
> > > #
> > > echo -n "foospudpeel" | openssl md5 -binary | openssl base64
> > > u9FAH8zsyXmwYX3pBqLd6Q==
> > > 
> > > # trying with a base64 encoded salt
> > > echo -n "foodc3B1ZHBlZWw=" | openssl md5 -binary | openssl base64
> > > JmyoP+AVagwGzN0uLF4Mow==
> > > 
> > > 
> > > We've only found a couple docs on how the md5 password hashes are
> > > generated, nothing that flat out says "do x, do y, do z, shove it in a
> > > file"...
> > > 
> > > Robert
> > > 
> > > 
> > > 
> > > :wq!
> > > ---------------------------------------------------------------------------
> > > Robert L. Harris                     | PGP Key ID: E344DA3B
> > >                                          @ x-hkp://pgp.mit.edu 
> > > DISCLAIMER:
> > >       These are MY OPINIONS ALONE.  I speak for no-one else.
> > > 
> > > Diagnosis: witzelsucht  	
> > > 
> > > IPv6 = robert at ipv6.rdlg.net	http://ipv6.rdlg.net
> > > IPv4 = robert at mail.rdlg.net	http://www.rdlg.net
> > -- 
> > "The Law of Leaky Abstractions"
> > There is a time where abstractions lead to the inability to 
> > fix problems that leak through the abstraction.
> > http://www.joelonsoftware.com/articles/LeakyAbstractions.html
> > 
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://www.ale.org/mailman/listinfo/ale
> 
-- 
"The Law of Leaky Abstractions"
There is a time where abstractions lead to the inability to 
fix problems that leak through the abstraction.
http://www.joelonsoftware.com/articles/LeakyAbstractions.html
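
Added example, not part of the original message: it goes beyond the reply by implementing the "$1$" algorithm itself instead of calling crypt(3), to show why a single "openssl md5" pass over password+salt cannot reproduce a shadow entry. The function names are this example's own; the salt "spudpeel" and password "foo" are the values from the thread.

```python
import base64
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def naive_md5_b64(password: bytes, salt: bytes) -> str:
    """The thread's attempt: one MD5 pass over password+salt, standard base64."""
    return base64.b64encode(hashlib.md5(password + salt).digest()).decode()

def md5_crypt(password: bytes, salt: bytes) -> str:
    """The "$1$" scheme: salted, 1000 chained MD5 rounds, crypt's own base64."""
    salt = salt[:8]                                  # at most eight salt characters
    alt = hashlib.md5(password + salt + password).digest()
    ctx = hashlib.md5(password + b"$1$" + salt)
    for n in range(len(password), 0, -16):           # alt digest, 16 bytes per chunk
        ctx.update(alt[:min(n, 16)])
    n = len(password)
    while n:                                         # one byte per bit of the length
        ctx.update(b"\0" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                            # the stretching loop
        c = hashlib.md5(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    words = [(final[a] << 16 | final[b] << 8 | final[d], 4) for a, b, d in groups]
    out = ""
    for value, count in words + [(final[11], 2)]:    # 6 bits at a time, low bits first
        for _ in range(count):
            out += ITOA64[value & 0x3F]
            value >>= 6
    return "$1$" + salt.decode() + "$" + out

def verify(password: bytes, stored: str) -> bool:
    """Re-hash with the salt taken from the stored entry; constant-time compare."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "1":
        return False
    return hmac.compare_digest(md5_crypt(password, parts[2].encode()).encode(), stored.encode())

if __name__ == "__main__":
    entry = md5_crypt(b"foo", b"spudpeel")           # salt/password from the thread
    print(naive_md5_b64(b"foo", b"spudpeel"), entry, verify(b"foo", entry))
```

The same hash can be produced from a shell with "openssl passwd -1 -salt spudpeel foo", which is the command-line route the original question was looking for.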
